Agenda item

Internal Audit: Service Reports

To consider the following report:


· GDPR

· Social Media

Minutes:

The committee considered the Mazars report on the audit of General Data Protection Regulations (Evaluation assurance: Substantial. Testing assurance: Substantial).

The audit raised two Priority 2 recommendations and one Priority 3 recommendation as follows:

Recommendation 1: Framework to be implemented for conducting Privacy Impact Assessments in line with the guidance on such processes contained in GDPR (Priority 2).

Recommendation 2: All staff to complete GDPR mandatory training (Priority 2).

Recommendation 3: Incident Management Policy to be updated with a workflow document (Priority 3).


The committee took into account the responses of J Worts, Information Security Team Leader, to the recommendations, which had been circulated with the agenda.

Cllr Taylor expressed regret that no full record had been kept of the names and number of staff who had attended the staff training at Cupid Green, but assured the committee that attendance had been good and that all staff were aware that their attendance is mandatory.

He then went on to lead a discussion on the provision of training for Councillors, stressing that they should be treated the same as staff and attendance at training should be mandatory. Cllr Douris wanted the Member training to be ‘obligatory’.

MT advised that he had found no evidence that member training is mandatory in any of the authorities he examined. However, he stressed that it is a ‘must’ that anyone who has access to and handles data undergoes some form of training. In his opinion the Information Commissioner would expect this as a minimum.

JD confirmed that 400 of the council’s 490 staff have been trained, though some training attendance had not been recorded. He advised the committee that a revised ‘flow-chart’ had been produced in response to Recommendation 3, and that the process had been examined and reduced to three simple steps.


Cllr McLean wanted to know what DBC’s position would be if our IT was ‘hacked’: would we be liable, could we be fined, and is there a budget to deal with such a contingency? Both J Deane and the auditors pointed out that in such a case we would have to evidence that we had taken all reasonable steps to avoid such an incident, and that we had policies and procedures in place to mitigate the effects of any error. All large organisations are being very careful and doing all they can to protect data, and DBC is doing all it can to protect our residents’ data, as we do not wish to fall foul of the Information Commissioner’s Office. Cllr McLean was reassured by the fact that we had an officer designated to monitor the Council’s GDPR arrangements.


The committee considered the Mazars report on the audit of Social Media (Evaluation assurance: Full. Testing assurance: Substantial).

The audit raised two Priority 3 recommendations as follows:

Recommendation 1: The responsibility for providing training on Social Media should be formally assigned (Priority 3); and

Recommendation 2: The Social Media training process should be formalised and updated when necessary to take into account developments in Social Media (Priority 3).


The audit was introduced by MT who went through the recommendations and his dealings with the Communications section.

Cllr McLean asked who responds on the council’s behalf to social media postings: is it an individual or a group? His concern was that an errant individual might damage the council’s reputation with an inappropriate post. K Soley, Communications & Consultation Team Leader, advised the committee that in general individual staff members have the potential to respond, though the monitoring software used at Dacorum prevents council systems being abused or used as a means of abusing others.


Supporting documents: